AUDIT REPORT

Audit of NRC's Information Technology Governance

OIG-14-A-04   December 9, 2013


All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE
INSPECTOR GENERAL

December 9, 2013


MEMORANDUM TO:    Mark A. Satorius
                  Executive Director for Operations

FROM:             Stephen D. Dingbaum /RA/
                  Assistant Inspector General for Audits

SUBJECT:          AUDIT OF NRC'S INFORMATION TECHNOLOGY
                  GOVERNANCE (OIG-14-A-04)


Attached is the Office of the Inspector General's (OIG) audit report titled Audit of NRC's Information Technology Governance.

The report presents the results of the subject audit. Following the November 22, 2013, exit conference, agency staff indicated that they had no formal comments for inclusion in this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit.
If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, at 415-5911.

Attachment: As stated


EXECUTIVE SUMMARY

BACKGROUND

Information technology (IT) governance is the leadership, structures, and processes that ensure that an organization's IT sustains and extends the organization's strategies and objectives. Its overall objective is to ensure that the organization can sustain its operations and implement strategies required to meet future objectives using IT. IT governance is necessary to manage information and employ IT to improve the productivity, effectiveness, and efficiency of agency programs.

OBJECTIVE

The audit objective was to assess the effectiveness of the Nuclear Regulatory Commission's (NRC) IT governance structure in meeting the agency's current and future IT needs.

RESULTS IN BRIEF

NRC's IT governance is not fully meeting stakeholder needs. Federal guidance states that proper guidance documentation and communication are important factors in the success of agency programs. However, NRC's IT governance framework and processes have not been effectively documented and communicated. The Office of the Inspector General found that the most prevailing issue area that stakeholders communicated was a general lack of confidence in the Office of Information Services' (OIS) ability to deliver an acceptable level of customer service. Additionally, confusion surrounding reassignment of OIS staff roles exists. As a result, NRC may not be able to fully meet the agency's future IT needs.

RECOMMENDATIONS

This report makes four recommendations to improve the effectiveness of NRC's IT governance structure in meeting the agency's future IT needs.

AGENCY COMMENTS

An exit conference was held with the agency on November 22, 2013. Prior to this meeting, after reviewing a discussion draft, agency management provided supplemental information that has been incorporated into this report, as appropriate.
As a result, agency management stated their general agreement with the findings and recommendations in this report and opted not to provide formal comments for inclusion in this report.


ABBREVIATIONS AND ACRONYMS

CIO      Chief Information Officer
CONOPS   OIS Reorganization Concept of Operations
IPEC     Information Technology/Information Management Portfolio Executive Council
IT       Information Technology
ITB      Information Technology/Information Management Board
NRC      Nuclear Regulatory Commission
OMB      Office of Management and Budget
OIG      Office of the Inspector General
OIS      Office of Information Services


TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS AND ACRONYMS
I.    BACKGROUND
II.   OBJECTIVE
III.  FINDING
      NRC's IT Governance Could Be Improved
      Recommendations
IV.   AGENCY COMMENTS
APPENDIX
      OBJECTIVE, SCOPE, AND METHODOLOGY


I. BACKGROUND

Information technology (IT) governance is the leadership, structures, and processes that ensure that an organization's IT sustains and extends the organization's strategies and objectives. Its overall objective is to ensure that the organization can sustain its operations and implement strategies required to meet future objectives using IT. The increasing use of technology has created a critical dependency on IT that requires a specific focus on governance. Accordingly, IT governance is necessary to manage information and employ IT to improve the productivity, effectiveness, and efficiency of agency programs.

Federal Guidance

The Clinger-Cohen Act of 1996 was designed to improve the way the Federal Government invests in IT. Since this law was enacted, the Chief Information Officers (CIO) in Federal organizations have been assigned primary responsibility for the management of Federal IT investments.
This includes specific procedural and policy-related responsibilities such as capital planning, security, and enterprise architecture, as well as activities for shaping the information culture of the agency such as leadership and management.

In December 2010, the Office of Management and Budget (OMB) issued its 25 Point Implementation Plan to Reform Federal Information Technology Management, outlining activities to reform IT management throughout the Federal Government.[1] The plan recommends more effective management of large-scale IT programs by streamlining governance and improving accountability. According to the plan, this involves reforming and strengthening investment review boards to enable them to more adequately manage agency portfolios, redefining the role of agency CIOs to focus on portfolio management, and rolling out face-to-face, evidence-based reviews of agency IT programs.

[1] In January 2013, the Nuclear Regulatory Commission's (NRC) Office of the Inspector General (OIG) issued audit report OIG-13-A-09, Audit of NRC's Progress in Carrying Out the 25 Point Implementation Plan to Reform Federal Information Technology Management. This report is publicly available in the NRC Agencywide Documents Access and Management System; see accession number ML13023A105.

In a 2011 memorandum,[2] OMB reiterated the need for CIOs to focus "on delivering IT solutions that support the mission and business effectiveness of their agencies and overcome bureaucratic impediments to deliver enterprise-wide solutions." One of the four areas singled out for increased attention was IT governance. The memorandum highlighted the role of the CIO to drive the investment review process and to have responsibility over the entire IT portfolio for an agency. The memorandum also stated that CIOs must work with Chief Financial Officers and Chief Acquisition Officers to ensure portfolio analysis is an integral part of the yearly budget process for an agency.

[2] OMB Memorandum M-11-29, Chief Information Officer Authorities, August 8, 2011.

NRC Guidance

NRC's primary internal guidance for IT governance is Management Directive 2.8, Project Management Methodology (PMM). The directive identifies this methodology as the only approved methodology for IT investment management. This methodology facilitates effective selection, approval, management, oversight, reporting, and documentation of IT investments throughout their entire life cycle. This directive defines the major components of the methodology and assists NRC offices in locating more detailed information necessary to implement and use this methodology for managing IT investments.

NRC IT Organizational Structure

NRC's Deputy Executive Director for Corporate Management also serves as the agency's CIO. The CIO oversees NRC's agencywide Information Technology/Information Management program, and reports directly to NRC's Executive Director for Operations.

The Office of Information Services (OIS) and the Computer Security Office report to the CIO. OIS is the primary office responsible for implementing NRC's IT governance. The office manages and operates the agency's IT infrastructure, provides information and records services, and coordinates programs to assist with the development and maintenance of NRC's business applications. OIS also manages the agency's IT strategic planning, capital planning, and enterprise architecture activities. The Computer Security Office oversees the agency's IT security program, including policy, training, and authorization of IT systems. Figure 1 shows NRC's IT organizational structure.

Figure 1: NRC IT Organizational Structure

    Chairman/Commission
      |
    Executive Director for Operations
      |
    Deputy Executive Director for Corporate Management / Chief Information Officer
      |
      +-- Office of Information Services
      +-- Computer Security Office

Source: OIG

IT Governance at NRC

In January 2012, NRC's CIO and Chief Financial Officer announced a plan to streamline and optimize the IT governance process. The plan included:

   •   Replacing the Information Technology Senior Advisory Council with a new Information Technology/Information Management Portfolio Executive Council (IPEC) consisting primarily of NRC office directors.
   •   Replacing the Information Technology Business Council with the Information Technology/Information Management Board (ITB), which is an expanded version of the council that currently reviews IT changes.

The IPEC is an executive management body established to determine NRC IT strategic direction and to manage the agency's IT portfolio. The IPEC sets current fiscal year priorities and determines the funding of IT investments that integrate into the IT portfolio. The IPEC is co-chaired by the CIO and Chief Financial Officer and consists of nine voting members and seven advisory members.
Its voting members consist primarily of office directors from major NRC offices.

The ITB reports to the IPEC and is a review body established to review and recommend changes to the agency's IT architecture, including the portfolio of IT systems, technologies, and standards. The ITB's goal is to help align IT investments and technology standards with NRC's mission and ensure that the investments are made according to agency priorities. The ITB reviews new proposals and current IT investments, alignment with strategic direction, ability to integrate into NRC's IT architecture, conformance with technology standards, and potential risks to NRC's IT environment. Its members are office branch chiefs from the majority of NRC program and regional offices, including several representatives from OIS.

OIS Reorganization

In April 2013, OIS initiated an office-wide reorganization. There were several reasons provided by OIS for the reorganization, namely:

   •   The desire to become a more customer-centric organization.
   •   Continued pressures to contain the IT budget.
   •   Increased reliance on IT to accomplish NRC business.
   •   A rapidly evolving IT environment.
   •   The requirement to meet external mandates from oversight agencies.

OIS had traditionally focused on infrastructure services and managing delivery of its technology products and services; however, industry guidance suggests a more holistic approach to managing services from end-to-end. Managing the entire business service along with its underlying components would more likely assure that OIS delivers the required functionality and service levels to its stakeholders. The new structure is intended to focus on service functions, improve outreach and customer services, develop an enterprise-level approach, and establish an overall sense of continuity. Figure 2 illustrates OIS' new organizational structure as of April 2013.

Figure 2: OIS Organizational Structure

    OIS
      +-- Information Technology/Information Management Portfolio Management & Planning Division
      +-- Solutions Development Division
      +-- Operations Division
      +-- Customer Service Division

Source: OIG

To provide direction and guidance, OIS created the OIS Reorganization Concept of Operations (CONOPS). The purpose of the CONOPS document is to help OIS staff understand the reorganization and achieve desired results. The CONOPS provides guidance and a basic framework to assist OIS staff in understanding their roles and responsibilities and how the new organization works.


II. OBJECTIVE

The audit objective was to assess the effectiveness of NRC's IT governance structure in meeting the agency's current and future IT needs. The report appendix contains information on the audit scope and methodology.


III. FINDING

NRC's IT Governance Could Be Improved

NRC's IT governance is not fully meeting stakeholder needs. Federal guidance states that proper guidance documentation and communication are important factors in the success of agency programs.
However, NRC's IT governance framework and processes have not been effectively documented and communicated. As a result, NRC may not be able to fully meet the agency's future IT needs.

Requirements for Effective IT Governance

Documentation and communication are important factors in the success of agency programs. Federal standards require agency processes to be clearly documented and communicated. In implementing these standards, management is responsible for developing internal controls – such as detailed agency guidance, policies, procedures, and practices – to fit their agency's operations and help staff understand and carry out their responsibilities.

Documentation Is Required

Guidance documents help ensure that management's directives are carried out. The U.S. Government Accountability Office's Standards for Internal Control in the Federal Government[3] requires clearly documenting processes at an appropriate level of detail to allow management to effectively monitor the activity. The documentation must be properly managed, maintained, and made available in order to meet its intended purpose. In addition, OMB recognizes the value of clearly documenting agency guidance. OMB maintains that well-designed guidance documents, if used properly, can appropriately direct agency employees and increase efficiency.

[3] GAO/AIMD-00-21.3.1, November 1999.

Communication Is Required

Relevant, reliable, and timely communication is required to control operations and achieve objectives. Information should be communicated to those who need it, and within a timeframe that enables them to carry out their responsibilities. Effective communication should occur in a broad sense with information flowing down, across, and up the organization. In addition, management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals.

Stakeholder Needs Not Being Met

NRC's IT governance is not fully meeting stakeholder[4] needs. During this audit, OIG interviewed 42 of NRC's management and staff, many of whom expressed concerns with several areas of NRC's IT governance process. For example:

   •   Lack of confidence in OIS' ability to deliver an acceptable level of customer service.
   •   Effectiveness of the IPEC and ITB.
   •   Customer Service Division is incomplete.
   •   Milestones are incomplete or undocumented.
   •   Confusion surrounding reassignment of OIS staff roles.

[4] For the purpose of this audit, the term "stakeholders" refers to all OIS customers, such as NRC program and regional offices.

Lack of Confidence in OIS' Ability to Deliver an Acceptable Level of Customer Service

Perhaps the most prevailing issue area that stakeholders communicated was a general lack of confidence in OIS. OIG interviewed NRC employees from program and regional offices who have worked with OIS on IT projects. Many stakeholders expressed concerns over OIS' inability to deliver acceptable customer service.

A common theme was that stakeholders did not trust OIS to meet NRC's IT needs based on their previous experiences.
Some of the responses included:

   •   OIS needing to be more customer-focused.
   •   OIS not understanding program offices' type of work or systems.
   •   OIS not having the capacity to do the job.
   •   OIS being more of a regulator and adding extra burdens to program offices.
   •   Some offices seek IT solutions from OIS only to end up doing the work themselves.

Due to this lack of confidence, some stakeholders within NRC have circumvented OIS and the IT governance process and have created their own systems, also known as "shadow IT" systems.[5]

[5] Shadow IT is hardware or software within an enterprise that is not supported by the organization's central IT department. The term often carries a negative connotation because it implies that the IT department has not approved the technology or does not even know employees are using it. Shadow IT can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies.

Effectiveness of the IPEC and ITB

Stakeholders interviewed widely praised the IPEC and ITB as a step in the right direction and a significant improvement over their predecessors. However, both entities have come under some criticism as some question their effectiveness.

IPEC and ITB Working Relationships

Some stakeholders criticized the working relationship between the IPEC and ITB. The IPEC, as a steering committee composed of office directors and division directors, is supposed to make strategic decisions after they are given alternatives resulting from the ITB's research on the technical issues. However, there were instances where IPEC members found that business cases and topics discussed were far more technical and detail-oriented than they anticipated. An IPEC member believed the ITB needed to simplify its presentations so the IPEC could more easily make executive decisions. Additionally, an ITB member was concerned that the ITB was not making any hard decisions.

On the other hand, another IPEC member believed that some IPEC members were not fully engaged with the IT governance process. The IPEC member remarked that business leads must take ownership of their systems. An ITB member opined that the IPEC should be more involved with searching for IT solutions rather than just administratively processing transactions. An OIS manager expressed concern that IPEC members sometimes send their deputies to attend IPEC meetings and these deputies are typically not as familiar with the other systems outside of their area or business line.

ITB Composition

Stakeholders also commented on the ITB's composition and scope. The ITB consists of 18 members covering a majority of NRC's program offices and each regional office.
An ITB member opined that the scope was "out of control with too many fingers in the pie." Another ITB member intimated that some of the other ITB members may not be qualified. Finally, a different ITB member asserted that only individuals from the Office of Administration, the Computer Security Office, and OIS should compose the ITB. In contrast, there were several members who expressed that their regional or program office deserved an equal voice and did not want membership restricted.[6]

[6] OIG was recently informed that the ITB was in the midst of a transition that would divide the group into two parts: the ITB itself and a new architectural council. The ITB will focus on business needs while the architectural council will focus on technological issues and consist solely of members from OIS and the Computer Security Office.

Approval Timeliness

According to stakeholders, another issue involving both the IPEC and ITB is how long it takes to get any IT system or software approved. There is currently no timetable or limit as to how long a decision may take. A program office manager claimed that some staff believe that it takes too long to get through the IT governance process. An NRC regional office manager said that speed is essential, and waiting 6 to 8 weeks for a decision from OIS is unacceptable. Another manager indicated that the approval process can be burdensome because it takes too much time. The manager believed the ITB had the right intentions, but can act as a restraint as his staff is always asking how long it will take for OIS to do something. An OIS staff member admitted that these decisions can take time, confirming that the IT approval process is slow and it can take a few weeks to go through all of the steps.

It should be noted that the ITB and IPEC member responsibilities are collateral duties and are added to the existing workloads of the members' primary jobs. One ITB member opined that members of the ITB do not have enough time for full integration and sequencing of their activities necessary to support the approval and control process. With his numerous roles in connection with the ITB, he does not have much time to focus on everything in addition to all of his regular responsibilities.

Customer Service Division Is Incomplete

As stated earlier, one of the driving forces behind the OIS reorganization was the desire to have OIS become more customer focused. During the reorganization in April 2013, OIS realigned its IT/IM services within four divisions, with an emphasis on the Customer Service Division. However, as of August 2013, the Customer Service Division was the only division that still had several vacant managerial positions. It is anticipated that the OIS reorganization will not be fully complete until the second quarter of 2014 due to OIS' implementation of its new customer service strategy.

Milestones Are Incomplete or Undocumented

Progress toward some reorganization plan milestones is behind schedule and other milestones are undocumented. For example, in the OIS reorganization Implementation Plan, the development and revision of position descriptions was scheduled for completion in May 2013, but has not been completed.
In addition, the OIS reorganization Communication Plan does not document whether any tasks have been completed.

Confusion Surrounding Reassignment of OIS Staff Roles

One of the major challenges OIS faced when going through its recent reorganization was reassigning roles and responsibilities to numerous staff. The reorganization created some confusion – not only among stakeholders – but also among OIS staff regarding past and current responsibilities. During the early stages of the reorganization, an OIS manager claimed that very few OIS staff had transitioned to their new roles as the reorganization was an ongoing process. The manager said staff needed to figure out their new roles, what old work they were taking with them, and who they were transferring their old work to. Another OIS manager admitted that some of the IT functions were not picked up as part of the new structure and therefore may have been overlooked. This may have resulted in higher workloads and stress levels on some OIS managers and staff. Finally, an Office of Administration manager remarked that work was moving from person to person, apparently leading to some short-term confusion. Some OIS personnel were not sure what they were supposed to be doing because some of the decisions regarding the reorganization had yet to be made. Meanwhile, some stakeholders stated that they were not sure who to speak with in OIS since people have changed positions and new divisions have been created.

OIS Is Making Improvements

While there has been some dissatisfaction from stakeholders, several have also responded that they are quite satisfied with OIS and that things are much improved from the past. Further, OIS recognized that improvements were needed and therefore assisted in creating the IPEC and ITB. In addition, OIS initiated its internal reorganization with a major focus on improving customer service.

Framework and Processes Not Effectively Documented or Communicated

The documentation of NRC's IT governance framework and processes is not comprehensive and has not been effectively communicated to its stakeholders. For example, OIG found:

   •   Governance charters lack specificity.
   •   Management Directive 2.8 is outdated.
   •   The CONOPS is incomplete.
   •   An overall lack of effective communication.

Framework and Processes Not Effectively Documented

Governance Charters Lack Specificity

The IPEC and ITB charters lack specific details on IT governance processes. The charters are neither thorough nor specific enough to achieve their intended purposes. The groups' charters seek to align IT investments with NRC's business objectives; however, the charters do not mention how to achieve this intended purpose. For example, the charters do not include information such as:

   •   A minimum threshold for which ITB/IPEC approval may not be needed.
   •   A format for presenting IT cases.
   •   A format for evaluating and approving IT cases.
   •   Timelines and standards for making decisions and delivering services.
   •   A process for communicating IPEC decisions to program offices or other interested parties.
   •   A process for following up after a system is implemented.
   •   A process for measuring the success of IPEC and ITB decisions.

An ITB member from a regional office talked about a specific IT issue his office was facing and said he was not sure if this issue fit the ITB charter.

Additionally, when asked how the success of their final decisions is measured, some IPEC members said that they either did not know or did not believe they had a formal way of doing this.

Management Directive 2.8 Is Outdated

Management Directive 2.8, Project Management Methodology (PMM), is the sole guidance used for the IT investment management process, yet is more than 6 years old and incomplete. NRC's policy is to ensure that IT investments are planned, built, selected, managed, and evaluated to maximize the value and minimize the risks of those investments in accordance with Federal statutes and regulations.
However, the directive\ndoes not address how IT aligns with the agency\xe2\x80\x99s objectives, and does not\neven use or define the term \xe2\x80\x9cIT governance.\xe2\x80\x9d Furthermore, NRC\xe2\x80\x99s Project\nManagement Methodology Web page depicts an older IT governance\nstructure.\n\nThe Concept of Operations (CONOPS) Is Incomplete\n\nThe CONOPS provides guidance and a basic framework to assist OIS\nstaff in understanding their roles and responsibilities and how the new OIS\norganization works; however, the CONOPS is still in draft and is\nincomplete. Stakeholder interviews describe a lack of clarity for who in\nOIS is responsible for what. Based on OIG\xe2\x80\x99s review, there is no indication\nas to how OIS tracks and documents the evolving nature of the OIS\norganization and its effect on operations and the CONOPS framework.\nThere is also no indication of how OIS is tracking and measuring the\nexpected benefits of the reorganization.\n\nAccording to industry best practices, when implementing an IT\ngovernance framework, it is important to evaluate the implementation\nefforts by developing measures to assess progress in meeting objectives.\nLessons learned and recommendations for improving the investment\nprocess should be developed, documented, and distributed to all\nstakeholders.\n\nFramework and Processes Not Effectively Communicated\n\nThe IT governance framework and processes have not been effectively\ncommunicated to stakeholders. OIS management has not communicated\nthe requirements of the ITB/IPEC evaluation and approval process,\nincluding details of individual roles and responsibilities, service followup,\nproject tracking, and matrices to measure the success of its decisions that\ndirectly affect program and regional offices. This has resulted in a lack of\nstakeholder buy-in. 
According to industry best practices, to effectively\nimplement a new IT governance framework, organizations should obtain\nbuy-in by involving all key stakeholders to ensure key perspectives are\nconsidered and facilitate adoption. Taking these steps increases the\n\n                              13\n\x0c                                    Audit of NRC\xe2\x80\x99s Information Technology Governance\n\n\n\nlikelihood that the new IT governance process will be adopted despite the\nsignificant cultural change it represents. An OIS manager stated that OIS\nhad openly communicated the upcoming reorganizational changes to\nstakeholders, but did not believe OIS was necessarily required to obtain\nbuy-in from stakeholders.\n\nIt should be noted that OIS management provided OIG an Implementation\nPlan and a Communications Plan concerning the office\xe2\x80\x99s reorganization.\nOIS also sought feedback from its staff prior to the reorganization by\nconducting several meetings and sending out emails and surveys asking\nfor staff comments. While OIS took these positive steps, OIG found that\nsome confusion still existed among stakeholders and OIS staff and that\nthe information provided by OIS may not have been communicated\neffectively. For example, in addition to stakeholders\xe2\x80\x99 issues previously\nmentioned in this report, OIS employees exhibited some contradictions\ndisplaying a lack of effective communication. 
For instance:\n\n   \xe2\x80\xa2   One OIS employee stated that the OIS reorganization was fully\n       operational, another said it would be fully operational by October\n       2013, and another said it would be fully operational in 2nd quarter\n       of 2014.\n   \xe2\x80\xa2   One OIS employee said that people were still transitioning and\n       trying to figure out their new roles, while another OIS employee\n       said that OIS staff had been settled in their roles for quite some\n       time.\n   \xe2\x80\xa2   An ITB member questioned why even small program office\n       purchases must go through the ITB, while an IPEC member\n       countered that program offices can purchase whatever they want\n       as long as they have the money for it.\n\nAgency\xe2\x80\x99s IT Needs May Not Be Met\n\nNRC may not be able to fully meet the agency\xe2\x80\x99s future IT needs without\ncomprehensive and communicated documentation of NRC\xe2\x80\x99s IT\ngovernance framework and processes. Specifically, there is a lack of\nassurance that IT services and management can be adequately provided\nto the agency. Some stakeholders believe that OIS has not provided\nsufficient customer service and have yet to be convinced that OIS can be\ncounted upon to deliver an acceptable level of service. As a result, some\n                             14\n\x0c                                        Audit of NRC\xe2\x80\x99s Information Technology Governance\n\n\n\n     stakeholders have been circumventing OIS and the governance process\n     by approving or creating their own shadow IT systems. This, in turn,\n     creates a less effective IT governance process which may result in\n     possible IT security breaches, compliance issues, and investment waste.\n\n\nRecommendations\n\n     OIG recommends that the Executive Director for Operations:\n\n\n     1. 
Revise the IPEC and ITB charters to more clearly define:\n\n           \xe2\x80\xa2   Roles and responsibilities.\n           \xe2\x80\xa2   The evaluation, approval, and decision followup process.\n\n\n     2. Revise NRC Management Directive 2.8 to include:\n\n           \xe2\x80\xa2   Current IT governance stakeholder requirements.\n           \xe2\x80\xa2   A definition of IT governance, structure, and processes.\n\n     3. Update and finalize the CONOPS to be consistent with current\n        practice, including a schedule for full implementation.\n\n\n     4. Develop and implement a comprehensive IT governance\n        communication strategy that:\n\n           \xe2\x80\xa2   Promotes buy-in from regional and program office stakeholders\n               by requesting feedback.\n           \xe2\x80\xa2   Clearly explains policies and procedures of the IPEC and ITB\n               charters, as well as the CONOPS, to all stakeholders.\n           \xe2\x80\xa2   Provides easily retrievable access to the updated charters and\n               CONOPS.\n\n\n\n\n                                  15\n\x0c                                           Audit of NRC\xe2\x80\x99s Information Technology Governance\n\n\n\nIV.   AGENCY COMMENTS\n\n\n         An exit conference was held with the agency on November 22, 2013.\n         Prior to this meeting, after reviewing a discussion draft, agency\n         management provided supplemental information that has been\n         incorporated into this report, as appropriate. 
As a result, agency\n         management stated their general agreement with the findings and\n         recommendations in this report and opted not to provide formal comments\n         for inclusion in this report.\n\n\n\n\n                                     16\n\x0c                                                Audit of NRC\xe2\x80\x99s Information Technology Governance\n\n                                                                                     Appendix\n\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\n    OBJECTIVE\n\n            The audit objective was to assess the effectiveness of NRC\xe2\x80\x99s IT\n            governance structure in meeting the agency\xe2\x80\x99s current and future IT needs.\n\n    SCOPE\n\n            The audit reviewed NRC\xe2\x80\x99s activities related to IT governance with special\n            emphasis on framework and processes. OIG conducted this performance\n            audit from March 2013 through October 2013 at NRC headquarters in\n            Rockville, MD. Internal controls related to the audit objective were\n            reviewed and analyzed. Throughout the audit, auditors were aware of the\n            possibility or existence of fraud, waste, or misuse in the program.\n\n    METHODOLOGY\n\n            To address the audit objective, OIG auditors interviewed 42 NRC\n            managers and staff. 
Furthermore, OIG reviewed Federal and internal\n            agency guidance, including:\n\n               \xe2\x80\xa2   Standards for Internal Control in the Federal Government.\n               \xe2\x80\xa2   Clinger-Cohen Act of 1996.\n               \xe2\x80\xa2   Paperwork Reduction Act of 1995.\n               \xe2\x80\xa2   E-Government Act of 2002.\n               \xe2\x80\xa2   25 Point Implementation Plan to Reform Federal Information\n                   Technology Management.\n               \xe2\x80\xa2   OMB Memorandum M-11-29, Chief Information Officer Authorities.\n               \xe2\x80\xa2   NRC Management Directive 2.6, Information Technology\n                   Infrastructure.\n               \xe2\x80\xa2   NRC Management Directive 2.8, Project Management Methodology\n                   (PMM).\n\n            We conducted this performance audit in accordance with generally\n            accepted Government auditing standards. Those standards require that\n            we plan and perform the audit to obtain sufficient, appropriate evidence to\n\n                                         17\n\x0c                                   Audit of NRC\xe2\x80\x99s Information Technology Governance\n\n\n\nprovide a reasonable basis for our findings and conclusions based on our\naudit objective. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit\nobjective.\n\nThe audit was conducted by Beth Serepca, Team Leader;\nRobert Woodward, Audit Manager; Michael Blair, Senior Analyst;\nZiad Buhaissi, Senior Auditor; and Neil Doherty, Senior Analyst.\n\n\n\n\n                            18\n\x0c'